    x86/ibt: Implement FineIBT · 931ab636
    Peter Zijlstra authored
    Implement an alternative CFI scheme that merges both the fine-grained
    nature of kCFI but also takes full advantage of the coarse grained
    hardware CFI as provided by IBT.
    
    To contrast:
    
      kCFI is a pure software CFI scheme and relies on being able to read
    text -- specifically the instruction *before* the target symbol, and
    does the hash validation *before* doing the call (otherwise control
    flow is compromised already).
    
      FineIBT is a software and hardware hybrid scheme; by ensuring every
    branch target starts with a hash validation it is possible to place
    the hash validation after the branch. This has several advantages:
    
       o the (hash) load is avoided; no memop; no RX requirement.
    
       o IBT WAIT-FOR-ENDBR state is a speculation stop; by placing
         the hash validation in the immediate instruction after
         the branch target there is a minimal speculation window
         and the whole is a viable defence against SpectreBHB.
    
       o Kees feels obliged to mention it is slightly more vulnerable
         when the attacker can write code.
    
    Obviously this patch relies on kCFI, but additionally it also relies
    on the padding from the call-depth-tracking patches. It uses this
    padding to place the hash-validation while the call-sites are
    re-written to modify the indirect target to be 16 bytes in front of
    the original target, thus hitting this new preamble.
    
    Notably, there is no hardware that needs call-depth-tracking (Skylake)
    and supports IBT (Tigerlake and onwards).

    Suggested-by: Joao Moreira (Intel) <joao@overdrivepizza.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Reviewed-by: Kees Cook <keescook@chromium.org>
    Link: https://lore.kernel.org/r/20221027092842.634714496@infradead.org
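As an added illustration, not code from this commit or from the kernel: a small C simulator of the two call-site checks the message contrasts. A flat `text` array stands in for kernel text, each function is laid out as the message describes (kCFI hash, 16 bytes of call-depth-tracking padding, then the symbol), and a toy IBT-style "CPU" faults unless an indirect branch lands on an endbr marker. The stand-in opcodes, the `PAD` constant, the `body_at` table and the sample hashes are all assumptions of this model. `kcfi_call` shows the caller loading the hash from text and validating before the branch; `fineibt_rewrite` turns the padding into a preamble and `fineibt_call` passes the hash in a register while targeting 16 bytes in front of the symbol, so the check happens after the branch with no text read.

```c
#include <stdint.h>
#include <string.h>

/* Model only (assumed layout and opcodes, not kernel code).
 * Per function: [4-byte kCFI hash][16 bytes padding][symbol: ENDBR + body] */
enum { TEXT_SIZE = 256, PAD = 16, HASH_SZ = 4 };
/* Stand-in opcodes for the model's tiny instruction set (assumed values). */
enum { OP_NOP = 0x90, OP_ENDBR = 0xF3, OP_HASHCHK = 0x2D };

typedef int (*body_t)(int);

static uint8_t text[TEXT_SIZE];      /* simulated kernel text */
static body_t  body_at[TEXT_SIZE];   /* C function that "is" the code at an offset */

static uint32_t rd32(unsigned off) { uint32_t v; memcpy(&v, &text[off], 4); return v; }
static void     wr32(unsigned off, uint32_t v) { memcpy(&text[off], &v, 4); }

/* Lay out one function at *cursor; returns the symbol offset callers target. */
unsigned emit_function(unsigned *cursor, uint32_t hash, body_t body)
{
    unsigned off = *cursor;
    wr32(off, hash);                  /* kCFI: type hash lives in text before the symbol */
    off += HASH_SZ;
    memset(&text[off], OP_NOP, PAD);  /* call-depth-tracking padding */
    off += PAD;
    text[off] = OP_ENDBR;             /* IBT: every indirect target starts with endbr */
    body_at[off] = body;
    *cursor = off + 1;
    return off;
}

/* Toy CPU with IBT: an indirect branch must land on ENDBR (WAIT-FOR-ENDBR),
 * then instructions are decoded until control reaches a function body. */
static int run_indirect(unsigned pc, uint32_t r10, int arg, int *killed)
{
    *killed = 0;
    if (text[pc] != OP_ENDBR) { *killed = 1; return 0; }   /* IBT fault */
    for (;;) {
        if (body_at[pc]) return body_at[pc](arg);
        switch (text[pc]) {
        case OP_ENDBR:
        case OP_NOP:
            pc += 1;
            break;
        case OP_HASHCHK:   /* FineIBT preamble: compare register with embedded hash */
            if (r10 != rd32(pc + 1)) { *killed = 1; return 0; }   /* ud2 */
            pc += 1 + HASH_SZ;
            break;
        default:
            *killed = 1; return 0;
        }
    }
}

/* kCFI caller: load the hash stored in text in front of the target and
 * validate it *before* the call; this is the memop that needs readable text. */
int kcfi_call(unsigned target, uint32_t expected, int arg, int *killed)
{
    uint32_t stored = rd32(target - PAD - HASH_SZ);
    if (stored != expected) { *killed = 1; return 0; }   /* ud2 before any branch */
    return run_indirect(target, 0, arg, killed);
}

/* FineIBT rewrite of one function: turn its padding into endbr + hash check;
 * the remaining NOPs fall through into the symbol. */
void fineibt_rewrite(unsigned symbol, uint32_t hash)
{
    unsigned pre = symbol - PAD;
    text[pre]     = OP_ENDBR;
    text[pre + 1] = OP_HASHCHK;
    wr32(pre + 2, hash);
}

/* FineIBT caller: hash travels in a register and the target is moved
 * 16 bytes back so control lands on the preamble. No text is read. */
int fineibt_call(unsigned target, uint32_t r10, int arg, int *killed)
{
    return run_indirect(target - PAD, r10, arg, killed);
}

static int twice(int x) { return 2 * x; }
static int neg(int x)   { return -x; }

#define HASH_INT_INT 0x12345678u   /* constructed sample type hashes */
#define HASH_OTHER   0x0badf00du

/* Constructed scenario: one matching call and one type-confused call under
 * each scheme, plus a branch to a non-endbr byte. Returns 1 if all behave. */
int demo(void)
{
    unsigned cursor = 32;
    unsigned f = emit_function(&cursor, HASH_INT_INT, twice);
    unsigned g = emit_function(&cursor, HASH_OTHER, neg);
    int killed, ok = 1;

    ok &= kcfi_call(f, HASH_INT_INT, 21, &killed) == 42 && !killed;
    kcfi_call(g, HASH_INT_INT, 21, &killed);    ok &= killed;   /* caught before the call */

    fineibt_rewrite(f, HASH_INT_INT);
    fineibt_rewrite(g, HASH_OTHER);
    ok &= fineibt_call(f, HASH_INT_INT, 21, &killed) == 42 && !killed;
    fineibt_call(g, HASH_INT_INT, 21, &killed); ok &= killed;   /* caught in the preamble */
    fineibt_call(f + 3, HASH_INT_INT, 21, &killed); ok &= killed; /* not an endbr: IBT fault */
    return ok;
}
```

The model keeps the two schemes' essential difference visible: in `kcfi_call` the decision is taken from a load out of text before any branch happens, while in `fineibt_call` the caller only sets a register and branches, and the preamble the rewrite placed in the padding is what refuses a mismatched hash.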